Mailing List Archive

Monitor traffic
Hello all,

I am new in Juniper router. I have a question.

How do I monitor traffic which is on transit in interface cards ?

I was told by someone that command "monitor traffic interface" is only monitoring traffic on the particular interface towards Routing Engine, not the transit traffic. Is it true ?

Is there a command or procedure to monitor transit traffic on particular interface ?

Thanks in advance.

Yuki
Monitor traffic [ In reply to ]
Hi Yuki,

"monitor interface traffic" if you only need to see the traffic
counters. You'll have to create a firewall filter and apply it on
interfaces if you want to log all packets and analyze them.

Chris.


-----Original Message-----
From: juniper-nsp-bounces@puck.nether.net
[mailto:juniper-nsp-bounces@puck.nether.net] On Behalf Of Yuki Arif
(EID)
Sent: 06 June 2003 08:53
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Monitor traffic

Hello all,

I am new in Juniper router. I have a question.

How do I monitor traffic which is on transit in interface cards ?

I was told by someone that command "monitor traffic interface" is only
monitoring traffic on the particular interface towards Routing Engine,
not the transit traffic. Is it true ?

Is there a command or procedure to monitor transit traffic on particular
interface ?

Thanks in advance.

Yuki
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp
Monitor traffic [ In reply to ]
Friday, June 6, 2003, 8:52:33 AM, you wrote:
> Hello all,

> I am new in Juniper router. I have a question.

> How do I monitor traffic which is on transit in interface cards ?

> I was told by someone that command "monitor traffic interface" is only monitoring traffic on the particular interface towards Routing Engine, not the transit traffic. Is it true ?

This is correct. Since this command is running on the RE and we don't
pass all the transit traffic to the RE, you can only monitor those
who are destined to the RE or sourced. This command is the
equivalent of tcpdump.

> Is there a command or procedure to monitor transit traffic on particular interface ?

Firewall

> Thanks in advance.

> Yuki
Monitor traffic [ In reply to ]
> Friday, June 6, 2003, 8:52:33 AM, you wrote:
> > Hello all,
>
> > I am new in Juniper router. I have a question.
>
> > How do I monitor traffic which is on transit in interface cards ?
>
> > I was told by someone that command "monitor traffic
> interface" is only monitoring traffic on the particular
> interface towards Routing Engine, not the transit traffic. Is
> it true ?
>
> this is correct. Since this command is running on the RE
> and we don't
> pass all the transit traffic to the RE you can only monitor those
> who are destined to the RE or sourced This command is the
> equivalent of tcpdump

Note, in addition to this constraint, certain headers (L1, L2 and L3) are
stripped from ingress packets before they are passed to the RE, therefore,
it is not possible to match on L3 headers (e.g. IP source address) for
inbound packets :-( monitor traffic interface <blah> running on a Juniper
has lots of constraints compared to tcpdump -i <blah> on a unix box.

> > Is there a command or procedure to monitor transit
> traffic on particular interface ?
>
> Firewall

This overcomes the problem of matching IP headers inbound, too. One thing
to beware of, though. If the stream of data you're logging is too large,
you will not be able to log everything because of the limitations of the
link from PFE to RE (100Mbps FE with a rate limit - 8000 packets per second
IIRC - for logged info).

Regards,

Guy

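As an added illustration of the firewall-filter approach discussed in this thread (not part of any poster's message and not taken from Juniper documentation): a Junos filter that counts and logs only a narrow slice of transit traffic, so the logged volume stays under the PFE-to-RE limit mentioned above. The filter name, counter name, interface and prefix are constructed placeholders.

```junos
firewall {
    family inet {
        filter LOG-TRANSIT {
            /* Match only the flow under investigation; logging everything
               would exceed what the PFE-to-RE link can carry. */
            term watch-flow {
                from {
                    source-address {
                        192.0.2.0/24;   /* constructed example prefix */
                    }
                    protocol tcp;
                    destination-port 80;
                }
                then {
                    count watch-flow-hits;   /* counter keeps an exact tally */
                    log;                     /* header summary sent to the RE */
                    accept;
                }
            }
            /* Everything else is forwarded untouched and not logged. */
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {                /* constructed example interface */
        unit 0 {
            family inet {
                filter {
                    input LOG-TRANSIT;   /* evaluated on ingress transit traffic */
                }
            }
        }
    }
}
```

After commit, `show firewall log` lists the logged packet headers and `show firewall filter LOG-TRANSIT` shows the counter, which keeps counting even when log entries are dropped by the rate limit.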
Monitor traffic [ In reply to ]
> Note, in addition to this constraint, certain headers (L1, L2 and L3) are
> stripped from ingress packets before they are passed to the RE, therefore,
> it is not possible to match on L3 headers (e.g. IP source address) for
> inbound packets :-( monitor traffic interface <blah> running on a Juniper
> has lots of constraints compared to tcpdump -i <blah> on a unix box.

What you can do is write this to a file; during
writing we restore the L2 header by adding dummy information, and
then you can make all the filters you want and with other
applications like ethereal. This works for the most common L2
encaps. At some point we might be able to add the fake L2
headers also during reading, so the offsets for matching objects
are set correctly.

Josef
Monitor traffic [ In reply to ]
> Note, in addition to this constraint, certain headers (L1, L2
> and L3) are
> stripped from ingress packets before they are passed to the
> RE, therefore,
> it is not possible to match on L3 headers (e.g. IP source address) for
> inbound packets :-( monitor traffic interface <blah> running
> on a Juniper
> has lots of constraints compared to tcpdump -i <blah> on a unix box.
>

L3 info is always included in the JUNOS CLI output.

You can do a 'tcpdump -w' from the shell and save the file in raw format and read it later with your favorite libcap program.

As Josef pointed out, L2 pseudo headers will be added back in the saved raw file. You can then read the file from the shell with 'tcpdump -r'.

Note: Shell commands are not officially supported.


-Julian
Monitor traffic [ In reply to ]
Dear colleagues,

Let's face it, if it's not in the docs - it's not there.

Sincerely,
Alexander
Monitor traffic [ In reply to ]
On Fri, Jun 06, 2003 at 02:52:33PM +0800, Yuki Arif (EID) wrote:
| Hello all,
|
| I am new in Juniper router. I have a question.
|
| How do I monitor traffic which is on transit in interface cards ?

use port mirroring using a filter;

| I was told by someone that command "monitor traffic interface" is only monitoring traffic on the particular interface towards Routing Engine, not the transit traffic. Is it true ?
|

correct; - monitor traffic <ifl> forks an instance of tcpdump on the RE
which only "sees" traffic going to/coming from the RE;

/hannes
Monitor traffic [ In reply to ]
On Sat, Jun 07, 2003 at 12:26:21AM +0400, alex wrote:
| Dear colleagues,
|
| Let's face it, if it's not in the docs - it's not there.

alexander,

could you be less cryptic about what you want us to do ?

improve documentation at what place etc. ?

/hannes